Processing units used in safety-relevant systems typically connect to internal subsystems, such as memories and peripherals, via internal bus systems. A conventional solution for protecting the data and address signals of the bus from communication disturbances is to design redundancy into the system by adding communication lines which provide error correction and detection capabilities. However, due in part to “state of the art” design methodologies in which some “bus” structures are no longer physically identifiable and/or easily accessible for the application of conventional error correction and detection, estimating the error probabilities of communication channels may be computationally intensive and inaccurate. In typical systems, the logic that lies behind the addressing interfaces of processing units, such as the logic associated with address decoders and address buses inside memories and peripherals external to the processing unit, is not protected by conventional error correction and detection capabilities.
Furthermore, conventional redundancy and/or algorithm diversity is the typical approach to fail-safe operation of processing units. For example, a processing channel may be time multiplexed to perform two (or more) diverse algorithms, the results of which are periodically cross-checked for consistency and/or plausibility. Alternatively, a single algorithm may be executed with temporal separation on two (or more) processing channels, the results of which are likewise periodically cross-checked for consistency and/or plausibility.
However, if time multiplexing of a single processing channel is used, the application developer must build several diverse algorithms, define a suitable “pass” limit for the respective sets of results, and monitor the scheduling of the time multiplexing. Furthermore, the failure reaction time of the system is bounded by the time required to fully compute all of the diverse algorithms.
If dual processing of a single algorithm is used, each processing channel must be independent so that common-cause failures are minimized and a failure in one channel does not affect the other channel. In addition, the data used by the computation must be protected against corruption, and the software and the software development process must be of proven quality.
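As an added illustration that is not part of the original document, the following constructed Python simulation models the two conventional schemes just described: a time-multiplexed channel running two diverse integer-square-root algorithms whose results are cross-checked against a “pass” limit, and a dual-channel run of one algorithm cross-checked for exact consistency. A constructed bit-flip fault shows what each check catches, and the pass-limit case shows how a loose limit can mask a small corruption.

```python
"""Constructed simulation of the two conventional fail-safe schemes
described above; not code from the original document."""

PASS_LIMIT = 1  # constructed tolerance for the diverse-algorithm cross-check

def isqrt_newton(n: int) -> tuple[int, int]:
    """Diverse algorithm 1: integer square root by Newton iteration.
    Returns (result, iterations) so compute time can be tracked."""
    if n < 2:
        return n, 0
    x, steps = n, 0
    while True:
        steps += 1
        y = (x + n // x) // 2
        if y >= x:
            return x, steps
        x = y

def isqrt_bisect(n: int) -> tuple[int, int]:
    """Diverse algorithm 2: integer square root by bisection."""
    lo, hi, steps = 0, n, 0
    while lo < hi:
        steps += 1
        mid = (lo + hi + 1) // 2
        lo, hi = (mid, hi) if mid * mid <= n else (lo, mid - 1)
    return lo, steps

def cross_check(a: int, b: int, limit: int) -> bool:
    """Consistency/plausibility check: results must agree within the limit."""
    return abs(a - b) <= limit

def time_multiplexed(n: int, fault_mask: int = 0) -> dict:
    """Scheme 1: one channel runs two diverse algorithms back to back.
    fault_mask (constructed) flips bits of the second result, e.g. a value
    corrupted in unprotected memory. The failure reaction time cannot be
    shorter than the time needed to run both algorithms."""
    r1, t1 = isqrt_newton(n)
    r2, t2 = isqrt_bisect(n)
    r2 ^= fault_mask
    return {"result": r1, "ok": cross_check(r1, r2, PASS_LIMIT),
            "reaction_time": t1 + t2}

def dual_channel(n: int, fault_mask: int = 0) -> dict:
    """Scheme 2: the same algorithm on two independent channels with
    temporal separation; here channel B reads a corrupted input
    (fault_mask) and the cross-check demands exact agreement."""
    r_a, _ = isqrt_newton(n)
    r_b, _ = isqrt_newton(n ^ fault_mask)
    return {"result": r_a, "ok": cross_check(r_a, r_b, 0)}
```

Note that `time_multiplexed(100, fault_mask=1)` reports `ok` even though the second result was corrupted, because the corrupted value (11) lies within the pass limit of the correct one (10); the pass limit must be chosen against the fault model, not just numerical noise.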
It would be desirable to provide comprehensive, efficient diagnostic coverage of computation faults associated with operation of a processing unit within a computational system, including fault coverage associated with communication and storage of data within internal sub-systems of peripherals and memories of the computational system.